openpyn-nordvpn

no killswitch during start and restart

Open hermann2971 opened this issue 5 years ago • 4 comments

Thanks for this great tool. I just installed it and did some tests. The killswitch works when no VPN connection is established. But during start or restart there is no blocking and all traffic goes through the standard connection. Is there any possibility to solve this issue?

Thanks a lot!

hermann2971 avatar Sep 15 '18 22:09 hermann2971

Cheers. Well, when we are manually starting it with the '-f' switch it needs to clear iptables rules and apply new ones. But I see what you mean. When it is restarted or the connection completely dies and openpyn has to find a new server, ideally traffic should be blocked during this time. The problem is, you can't talk to NordVPN's API or its other servers without dropping the rules. So in the current situation either we can have the functionality of being able to switch to another server when the connection dies (leaking traffic during transition) or not have the ability to auto fail-over to another server. I agree that traffic shouldn't be leaked unless at least the user manually restarts openpyn. I will rework the design to fix it.

jotyGill avatar Sep 18 '18 04:09 jotyGill

Hi, thank you for your reply. Maybe it is possible to choose if the firewall should be temporary or permanent. And if the firewall is permanent you could ping the URL of the NordVPN API to get the IP and then create an exception for iptables (maybe the IP will not change often). For permanent iptables it would also be great that stop of the service will not flush the tables. At the moment I have to change the service file manually to change the behavior - just kill the connection but do not flush.

Thanks a lot

hermann2971 avatar Sep 18 '18 19:09 hermann2971

@hermann2971

> For permanent iptables it would also be great that stop of the service will not flush the tables.

I agree, and I opened an issue for it in #202. I think the ideas of using custom iptables chains, and iptables -I to insert rules at the beginning of chains will help in the auto fail-over design.

ISO-morphism avatar Sep 27 '18 06:09 ISO-morphism
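
The custom-chain and `iptables -I` idea from the comment above, combined with the earlier suggestion of an exception for the API address, sketched as an added example (not openpyn's code and not part of the thread). It only prints the commands; the chain name `VPN_KILLSWITCH`, the function names and all addresses are hypothetical, constructed values, and the API address is assumed to have been resolved before the rules are installed.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables commands for a kill switch
# that lives in its own chain, so a VPN restart never has to flush OUTPUT.
# CHAIN and every address below are hypothetical / constructed values.
CHAIN="VPN_KILLSWITCH"

# Persistent part, run once: anything not explicitly allowed in $CHAIN is
# dropped, whether or not a tunnel currently exists.
ks_install() {   # usage: ks_install <tun-if>
    echo "iptables -N $CHAIN"
    echo "iptables -A $CHAIN -o lo -j ACCEPT"
    echo "iptables -A $CHAIN -o $1 -j ACCEPT"
    echo "iptables -A $CHAIN -j DROP"
    # -I puts the jump at the top of OUTPUT, ahead of any existing rules.
    echo "iptables -I OUTPUT 1 -j $CHAIN"
}

# Fail-over part: open one destination/port pair without touching the rest.
ks_allow() {     # usage: ks_allow <ipv4> <proto> <port>
    case "$1" in
        *[!0-9.]*|"") echo "refusing non-IPv4 value: $1" >&2; return 1 ;;
    esac
    # Inserted at position 1 so it is evaluated before the final DROP.
    echo "iptables -I $CHAIN 1 -d $1 -p $2 --dport $3 -j ACCEPT"
}

# Close an exception again (same match, -D) once it is no longer needed.
ks_revoke() {    # usage: ks_revoke <ipv4> <proto> <port>
    echo "iptables -D $CHAIN -d $1 -p $2 --dport $3 -j ACCEPT"
}

# Constructed sample run using documentation-range addresses.
ks_demo() {
    ks_install tun0
    ks_allow 203.0.113.10 tcp 443     # API address, resolved beforehand
    ks_allow 198.51.100.7 udp 1194    # VPN server picked for this session
    ks_revoke 203.0.113.10 tcp 443    # API not needed once connected
}
ks_demo
```

Stopping or restarting the VPN client then only adds and deletes exceptions inside the chain, so the final DROP stays in place during the transition. IPv6 traffic is not covered by these rules and needs the same chain in `ip6tables`.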

Any progress on this? I see that NordVPN has released a Linux app, but I would like to stick to this wonderful open source project!

larry77 avatar Jun 08 '19 11:06 larry77